[Webkit-unassigned] [Bug 201303] New: [GTK] IconDatabase::writeToDatabase tries to use RefPtrs across threads

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 29 09:04:22 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=201303

            Bug ID: 201303
           Summary: [GTK] IconDatabase::writeToDatabase tries to use
                    RefPtrs across threads
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cturner at igalia.com
                CC: bugs-noreply at webkitgtk.org

IconDatabase::writeToDatabase copies its m_iconsPendingSync values, which seem to be created on the main thread, into a Vector on its icon-sync thread. IconSnapshot contains a RefPtr<SharedBuffer>, and ref()'ing the SharedBuffer on the main thread and also on a background thread is unsafe, and triggers assertions in recent WebKits:

#0  0x00007f4286c380ad in WTFCrash () at /home/ubuntu/webkit/webkit-git/Source/WTF/wtf/Assertions.cpp:305
#1  0x00007f4294382447 in WTF::RefCountedBase::applyRefDerefThreadingCheck (this=0x55d0083284c0) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:115
#2  0x00007f42943822f2 in WTF::RefCountedBase::ref (this=0x55d0083284c0) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:43
#3  0x00007f42949ec421 in WTF::refIfNotNull<WebCore::SharedBuffer> (ptr=0x55d0083284c0) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:38
#4  0x00007f42949e8106 in WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >::RefPtr (this=0x7f421801f9d0, o=...)
    at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:58
#5  0x00007f4294e0b388 in WebKit::IconDatabase::IconSnapshot::IconSnapshot (this=0x7f421801f9c0) at /home/ubuntu/webkit/webkit-git/Source/WebKit/UIProcess/API/glib/IconDatabase.h:61
#6  0x00007f4294e0e05c in WTF::Vector<WebKit::IconDatabase::IconSnapshot, 0ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<WebKit::IconDatabase::IconSnapshot&> (this=0x7f422e5f79d0, 
    value=...) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1346
#7  0x00007f4294e0b446 in WTF::Vector<WebKit::IconDatabase::IconSnapshot, 0ul, WTF::CrashOnOverflow, 16ul>::append<WebKit::IconDatabase::IconSnapshot&> (this=0x7f422e5f79d0, 
    value=...) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1304
#8  0x00007f4294e074bd in WTF::Vector<WebKit::IconDatabase::IconSnapshot, 0ul, WTF::CrashOnOverflow, 16ul>::appendRange<WTF::HashTableValuesIterator<WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, WebKit::IconDatabase::IconSnapshot>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String, WebKit::IconDatabase::IconSnapshot> >, WTF::StringHash, WTF::HashMap<WTF::String, WebKit::IconDatabase::IconSnapshot, WTF::StringHash, WTF::HashTraits<WTF::String>, WTF::HashTraits<WebKit::IconDatabase::IconSnapshot> >::KeyValuePairTraits, WTF::HashTraits<WTF::String> >, WTF::String, WebKit::IconDatabase::IconSnapshot> > (this=0x7f422e5f79d0, start=..., end=...) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1036
#9  0x00007f4294dfeeb5 in WebKit::IconDatabase::writeToDatabase (this=0x55d008157770) at /home/ubuntu/webkit/webkit-git/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:1472
#10 0x00007f4294dfddfa in WebKit::IconDatabase::syncThreadMainLoop (this=0x55d008157770) at /home/ubuntu/webkit/webkit-git/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:1256
#11 0x00007f4294dfc45e in WebKit::IconDatabase::iconDatabaseSyncThread (this=0x55d008157770) at /home/ubuntu/webkit/webkit-git/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:931
#12 0x00007f4294df857f in WebKit::IconDatabase::<lambda()>::operator()(void) const (__closure=0x55d0082b0b18)
    at /home/ubuntu/webkit/webkit-git/Source/WebKit/UIProcess/API/glib/IconDatabase.cpp:223
#13 0x00007f4294e04572 in WTF::Detail::CallableWrapper<WebKit::IconDatabase::open(const WTF::String&, const WTF::String&)::<lambda()>, void>::call(void) (this=0x55d0082b0b10)
    at DerivedSources/ForwardingHeaders/wtf/Function.h:52
#14 0x00007f429445a81d in WTF::Function<void ()>::operator()() const (this=0x7f422e5f7c30) at DerivedSources/ForwardingHeaders/wtf/Function.h:79
#15 0x00007f4286c6f3ff in WTF::Thread::entryPoint (newThreadContext=0x55d0082a4480) at /home/ubuntu/webkit/webkit-git/Source/WTF/wtf/Threading.cpp:148
#16 0x00007f4286cee2e5 in WTF::wtfThreadEntryPoint (context=0x55d0082a4480) at /home/ubuntu/webkit/webkit-git/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:200
#17 0x00007f42836036db in start_thread (arg=0x7f422e5f8700) at pthread_create.c:463
#18 0x00007f428332c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
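A reduced model of the pattern in this backtrace, added here as an example and not taken from WebKit: a stand-in for the thread check behind RefCountedBase::ref() (the real applyRefDerefThreadingCheck is more involved), a Snapshot that mirrors IconSnapshot's copy-refs behaviour, the cross-thread copy that trips the check, and one mitigation that hands the sync thread an isolated copy of the bytes instead. All names other than the WTF/WebKit ones mentioned are made up for the demo.

```cpp
#include <atomic>
#include <cstdint>
#include <thread>
#include <vector>
// Stand-in (not WTF code) for the check behind RefCountedBase::ref(): the
// count binds to the first thread that touches it and flags any other one.
class CheckedRefCounted {
public:
    void ref() { noteThread(); ++m_refCount; }
    void deref() { noteThread(); --m_refCount; }
    bool sawCrossThreadRef() const { return m_violation.load(); }
private:
    void noteThread() {
        auto current = std::this_thread::get_id();
        if (m_owner == std::thread::id())
            m_owner = current;          // first touch binds the object
        else if (m_owner != current)
            m_violation = true;         // WTF would call WTFCrash() here
    }
    unsigned m_refCount { 0 };
    std::thread::id m_owner;
    std::atomic<bool> m_violation { false };
};
struct Buffer : CheckedRefCounted { std::vector<uint8_t> bytes { 1, 2, 3 }; };
// Mirrors IconSnapshot: copying it ref()s the buffer on the copying thread.
struct Snapshot {
    Buffer* data;
    explicit Snapshot(Buffer* b) : data(b) { data->ref(); }
    Snapshot(const Snapshot& o) : data(o.data) { data->ref(); }
    ~Snapshot() { data->deref(); }
};
// The reported pattern: snapshot created on the main thread, copied into a
// vector by the sync thread. Returns true because the check fires.
bool copySnapshotOnSyncThread() {
    Buffer buf;
    Snapshot pending(&buf);
    std::thread sync([&] { std::vector<Snapshot> batch; batch.push_back(pending); });
    sync.join();
    return buf.sawCrossThreadRef();
}
// One mitigation: deep-copy the bytes on the owning thread and move the copy
// to the sync thread, so no refcount crosses threads (an atomic count, as in
// ThreadSafeRefCounted, is the other option). Returns false: no violation.
bool moveIsolatedCopyToSyncThread() {
    Buffer buf;
    Snapshot pending(&buf);
    std::vector<uint8_t> isolated = buf.bytes;
    std::thread sync([batch = std::move(isolated)] { (void)batch; });
    sync.join();
    return buf.sawCrossThreadRef();
}
```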
